Evaluating Web Application Firewalls - Things to Keep in Mind

Web Application Firewalls: What Should You Keep In Mind When Evaluating WAF Solutions?

A few weeks ago, SecurityWeek contributor Chris Hinkley published the article “Web Application Firewalls: Three Benefits You May Have Not Considered,” in which he listed some of the possible security gains the technology brings to bear. With the amount of attacks targeting applications today, Web Applications Firewalls (WAFs) are an important line of defense, and the market is full of vendors focused on layering application defenses.

Choosing a solution from the multitude on the market though is not always easy. For those who must, there are two important aspects of the decision-making process to consider. First, the WAF’s features; second, the evaluation criteria you are using to test those features. In these next two columns we’ll focus on each of these aspects. Disclaimer: I work for WAF vendor. Yes, this means I’m biased. But it also means I’ve been researching WAFs and WAF functionalities for several years.

Bottom-Line: The Most Basic of all WAF Features

• Block Attacks - This is a no-brainer. After all, you’re using the WAF to protect your applications. You want to ensure that you’re getting a WAF that performs its job without generating false positives.

• Readable Alerts and Reports – Alerts provide you insight into how accurately the WAF is blocking. An alert which contains the entire Web request allows for quick identification of the problem. With this in hand you can go to the developers in case of a gaping hole or even track data leaks. Together with reports, it provides you with a good picture of the current threat landscape – from a high level overview of threats, to the attack sources and even your most attacked URLs.

• Scalability - You want to make sure that your investment pays off – that it holds up to its task with tomorrow’s traffic, next month’s traffic and traffic a couple of years from now. These are not only traffic growth-over-time considerations – but also seasonal ones. If you are an online shopping company, for example, you’d want to ensure that your WAF is able to scale well during the peak holiday shopping season.

What other features can help guide you in making the correct purchasing choice? The following are not only add-ons to the basic WAF, but enhancements to make sure it’s addressing the different application-targeted threats.

Feature #1 – Positive and Negative Security Models

A negative security model relies on detecting explicit patterns of malicious behavior. Negative security mechanisms include signatures for known exploit vectors and arbitrary restrictions on individual parts in the request. When using this negative security model, you want to ensure that the patterns reflect real time threats. Under this model, you should also be able to customize different policies and apply them to detect potential leakage of sensitive data – for example, noting whether personal health information is leaving through the Web application.

A positive security model assumes the knowledge of normal behavior and considers any deviation from this baseline to be potentially malicious. A WAF should be able to automatically generate a profile of the application based on production traffic in order to model the structure and dynamics of all of its elements. Using the application profile, the WAF distinguishes between legitimate user behavior and illegitimate behavior. When changes are made to the application, the WAF should detect the application changes and automatically adjust its profiles accordingly without any need for manual intervention or tuning.

Ideally, your WAF should be able to combine both security models to improve the accuracy of detection.

Feature #2– Virtual Patching

Although Web application vulnerabilities should be fixed ASAP, this takes time. First, the Web application patch – either proprietary or commercial – needs to be created. Then changes need to go through QA. When this process is lengthy or the deployment of patches is delayed, the application is left vulnerable. To overcome this problem, the WAF should deliver timely updates to security mechanisms (be those signatures, rules or policies) that mitigate recently disclosed vulnerabilities. The WAF should be able to deploy these updates in an automatic manner, providing just in time protection until a vendor patch is available and can be deployed.

This concept goes further when integrating the WAF with a vulnerability assessment solution. Vulnerability assessment tools can be used periodically to reassess new types of attacks, application changes, and configuration changes. The results of this assessment are then fed to the WAF to virtually patch those holes and reduce vulnerability exposure.

Feature #3 – Reputation-Based Services

Considering how automation is used to carry out attacks, you want to reduce the amount of malicious requests that the WAF processes. This is where reputation-based services come in. The WAF can examine the IP of the incoming request and check the geo-location of the request and determine whether it originates from a Tor node or even an active bot. All these aspects can be tell-tale signs of illegitimate requests. The WAF can then very quickly block these requests without even needing to analyze the request itself.

Reputation can even be used to help prevent phishing attacks. Say the application receives a seemingly legitimate request which contains the true credentials of a customer. With reputation-based detection, the WAF can alert if the request is originating from a known phishing site.

These reputation-based services should not be a naïve check on the requestor’s IP, nor a simple decision to block the request. It really is all about IP intelligence – gathering intelligence of the threat landscape, and applying it intelligently in the context of that landscape.

Feature #4 – Web – Fraud Detection

Web fraud solutions are usually applied in various places within the application - during the login stage, cart processing, shipping and billing addresses, credit card processing, etc. These seemingly random pieces of data are then combined by the Web fraud solution to complete the necessary picture and decide whether there is a case of fraud. By applying Web fraud solutions in this traditional manner though, you’re delegating the security to the development team. And that’s precisely the problem. Developers should be focused on developing the best product – and not handling different external add-ons to the logic of their code. This is where the WAF can be very helpful as all fraud detection aspects can be applied within one single central location – a solution which is already dedicated to security.

It’s not only about combining your already-existing fraud solutions within the WAF. There’s also the added benefit of correlating the collected data with your WAF policies. For example, it can combine fraud detection, such as malware-based fraud, with violations resulting from unusual behavior such as navigating immediately to a funds transfer without even first checking the account balance.

Feature #5 – Fighting Business Logic Attacks

Putting into practice the detection and mitigation of business logic attacks is a complex process. It requires detecting the number of clicks, following the logical flow of the application, and even changing responses based on different requests. This is where the WAF comes in – once again, we’re talking about taking the logic out of the application and the developer’s hands and centralizing it in one location without performing any development changes. For example, the developer does not need to perform a test against each request to check whether it is comment spam. It also means that if a request is seemingly benign which would not particularly singled out by the developing team, it would be picked up by the WAF that has the visibility to all traffic. This visibility allows the WAF to aggregate all the seemingly benign requests and detect, for instance, that they are automated and being used to scrape the website.

Hopefully, these features will help you short-list your WAF options. The next obvious question is what criteria do you use to test the WAF? In the next column I’ll list the different testing considerations when discovering what WAF that’s best for you.

Disclosure: I work for a company that offers WAFs as part of its offerings. Yes, you could say I’m biased. But it also means I’ve been researching WAFs and WAF functionalities for several years.

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interest lie on the business-side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.